Android Malware Promises Video While Stealing Contacts

Recently we discovered a new Android Trojan in the official Google Play market that displays a video downloaded from the Internet–but only if some sensitive information is previously sent to a remote server. The malicious applications are designed for Japanese users and display “trailers” of upcoming video games for Android. Here’s one example:

Or anime/adult Japanese videos:

When the application is about to be installed, it requests two suspicious permissions: read contact data, and read phone state and identity. Neither is needed for the principal purpose of the application, which is to display a video from the Internet. The reason for these requests becomes clear when the malware executes: its first action is to obtain, in the background and without the user’s consent, the following sensitive information from the device:

Android ID: Unlike most Android malware and PUPs (potentially unwanted programs), which gather the IMEI to uniquely identify a device, this malicious application obtains the android_id, which according to the Android API is a “64-bit number that is randomly generated on the device’s first boot and should remain constant for the lifetime of the device.”

Phone number: Obtains the phone number of the device. READ_PHONE_STATE permission is required to gather this information.

Contact List: Gets the name, telephone number, and email of every person in the contact list.

While the data is harvested, the victim sees this “loading” message:

Once the information is obtained, the malicious application sends it to a remote server in clear text:

If the data was sent successfully, the application requests a specific video from the same server and displays it using a VideoView component. If the malware fails at its background theft (for example, because the device does not have an Internet connection), a message in Japanese says that an error has occurred and the video has not loaded:

So far we have discovered 15 applications from two developers that, according to Google Play statistics, have been downloaded by at least 70,000 users. Due to the privacy risk that these applications represent to Android customers, all of them have been removed from the market. McAfee Mobile Security detects these threats as Android/DougaLeaker.A. Prior to installation, users should verify in the Google Play market that the application does not request permission to perform actions not related to its purpose.
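The permission check recommended above can be automated for triage. The following is an added example, not code from McAfee or from the original post: it reads a manifest that has already been decoded to text XML and reports every requested permission that falls outside what a video-display app needs. The expected-permission set, the package name, and the sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Attributes such as android:name live in the Android XML namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: permissions a video-streaming app plausibly needs.
EXPECTED_FOR_VIDEO = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.WAKE_LOCK",
}

# Data each permission exposes, following the article's description.
EXPOSES = {
    "android.permission.READ_CONTACTS": "contact names, phone numbers, emails",
    "android.permission.READ_PHONE_STATE": "device phone number and identity",
}

# Constructed sample manifest (decoded text form), not taken from a real APK.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.videotrailer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Trailer">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for elem in root.iter("uses-permission"):
        name = elem.get(ANDROID_NS + "name")
        if name:
            perms.add(name)
    return perms


def audit(manifest_xml, expected=EXPECTED_FOR_VIDEO):
    """Map each permission outside the expected set to the data it exposes."""
    extra = requested_permissions(manifest_xml) - set(expected)
    return {p: EXPOSES.get(p, "unclassified; review manually") for p in sorted(extra)}


if __name__ == "__main__":
    for perm, data in audit(SAMPLE_MANIFEST).items():
        print(f"UNEXPECTED {perm}: exposes {data}")
```

A manifest audit only sees permission-gated access: reading the android_id requires no permission, so that part of the collection does not show up here.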